SSL3 was allowed in order to inter-op with those clients which don't support TLS.

There is a way to be immune to the POODLE attack with SSLv3: disallow CBC-mode cipher suites in SSLv3.

Now, if I disable CBC-mode ciphers from my application, it affects TLS as well (Have one for one Server Interface). Is there a way I can disallow CBC-mode ciphers only on SSL3 connections but use them for TLS connections?

Edit:

The following shows in brief how cipher suites are loaded into OpenSSL's CTX object:

How exactly are you disabling CBC-mode ciphers?
– Polynomial Mar 23 '15 at 10:50

@Polynomial By controlling the input to SSL_CTX_set_cipher_list(...)
– Prabhu Mar 23 '15 at 11:11

Can you post what you're passing to that function? From my understanding, there are two ways to do it: (1) use the - prefix to disable the block ciphers (AES, DES3, etc.) then follow it by +TLSv1+TLSv1.2 and then more - prefixed strings to disable any ciphers globally (e.g. export), or (2) manually maintain a list of full cipher strings with flags about when they should or shouldn't be enabled, and build a full list from that depending on options.
– Polynomial Mar 23 '15 at 11:21

Duplicate of security.stackexchange.com/questions/42083/… which was motivated by BEAST. The answer still is you can't do it with configuration. Note for SSL3 (and TLS1.0 and 1.1) the only non-padded option is RC4, and RC4 is today much more badly weakened by the RHUL group than 3 years ago when it was recommended to mitigate BEAST; OTOH POODLE appears nastier. @Polynomial there are quite a few ways to build an OpenSSL cipherlist but none of them can enable a ciphersuite for only some versions.
– dave_thompson_085 Mar 23 '15 at 15:54
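
Added example, not part of the thread above: a sketch of option (2) from the comments, a hand-maintained suite table with flags from which the string for `SSL_CTX_set_cipher_list(...)` is built. The table contents, flag names and `build_cipher_list` are assumptions made for illustration; as the last comment points out, the resulting list applies to the whole context, so dropping CBC because SSLv3 is enabled drops it for TLS connections on that context too.

```c
#include <stdio.h>
#include <string.h>

/* Flags for the hand-maintained table (names are hypothetical). */
#define F_CBC    0x1u  /* CBC-mode block cipher: padded, so POODLE applies under SSLv3 */
#define F_EXPORT 0x2u  /* export-grade: disabled globally */

struct suite { const char *name; unsigned flags; };

/* OpenSSL cipher names in preference order; the selection is illustrative.
 * RC4 is the only non-padded choice left for SSLv3 and is itself weak. */
static const struct suite SUITES[] = {
    { "AES128-GCM-SHA256", 0 },
    { "AES256-SHA",        F_CBC },
    { "AES128-SHA",        F_CBC },
    { "DES-CBC3-SHA",      F_CBC },
    { "RC4-SHA",           0 },
    { "EXP-RC4-MD5",       F_EXPORT },
};

/* Writes a colon-separated cipher list for a context on which SSLv3 is
 * (sslv3_enabled != 0) or is not enabled. Returns the number of suites
 * written, or -1 if the output buffer is too small. */
int build_cipher_list(int sslv3_enabled, char *out, size_t outlen)
{
    unsigned deny = F_EXPORT | (sslv3_enabled ? F_CBC : 0u);
    size_t used = 0;
    int count = 0;

    if (outlen == 0) return -1;
    out[0] = '\0';
    for (size_t i = 0; i < sizeof SUITES / sizeof SUITES[0]; i++) {
        if (SUITES[i].flags & deny) continue;          /* filtered out */
        size_t len = strlen(SUITES[i].name);
        if (used + len + (count ? 1 : 0) + 1 > outlen) return -1;
        if (count) out[used++] = ':';
        memcpy(out + used, SUITES[i].name, len + 1);   /* copies the NUL too */
        used += len;
        count++;
    }
    return count;
}

int main(void)
{
    char list[256];
    for (int v3 = 0; v3 <= 1; v3++)
        if (build_cipher_list(v3, list, sizeof list) > 0)
            printf("SSLv3 %s: %s\n", v3 ? "enabled " : "disabled", list);
    return 0;
}
```
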